Systems, methods, and computer-readable media for using an online resource to manage credentials on an electronic device are provided. In one example embodiment, a method, at an electronic device, includes, inter alia, receiving account data via an online resource, accessing commerce credential status data from a secure element of the electronic device, providing initial credential management option data via the online resource based on the received account data and based on the accessed commerce credential status data, in response to the providing, receiving a selection of an initial credential management option via the online resource, and changing the status of a credential on the secure element based on the received selection. Additional embodiments are also provided.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
3. The method of claim 2, wherein the account identifier of the user account comprises at least a portion of a funding primary account number, and an identifier of the credential comprises a device primary account number that corresponds to the funding primary account number.
This invention relates to secure financial transaction systems, specifically methods for linking user accounts with transaction credentials. The problem addressed is ensuring secure and efficient authentication in payment systems where multiple credentials may be associated with a single funding account. The method involves a system that processes transactions by verifying a user account identifier and a credential identifier. The user account identifier includes at least part of a funding primary account number (PAN), which is the primary financial account used for transactions. The credential identifier is a device PAN that corresponds to the funding PAN, representing a specific payment credential (e.g., a card or digital wallet entry) linked to the funding account. By matching these identifiers, the system ensures that transactions are authorized only when the credential is valid and properly associated with the funding account. This approach enhances security by preventing unauthorized use of credentials not linked to the funding account. It also improves transaction efficiency by streamlining the verification process through direct PAN correlation. The method is particularly useful in environments where multiple credentials may access a single funding source, such as mobile wallets or multi-card payment systems. The system may further include steps to validate the credential's authenticity and ensure compliance with financial regulations.
4. The method of claim 3, wherein the application programming interface is configured to access the secure element using the at least the portion of the funding primary account number to determine whether the credential having the device primary account number that corresponds to the funding primary account number is provisioned on the secure element.
This invention relates to secure digital payment systems, specifically methods for verifying the provisioning status of payment credentials on a secure element using an application programming interface (API). The problem addressed is ensuring secure and efficient verification of whether a payment credential, such as a tokenized card number, is properly provisioned on a secure element within a device, such as a smartphone or wearable, before enabling transactions. The method involves an API that interacts with the secure element to check the provisioning status of a credential. The API uses at least a portion of a funding primary account number (PAN) to determine whether a corresponding credential, identified by a device primary account number (DPAN), is provisioned on the secure element. The funding PAN is the original account number linked to the payment credential, while the DPAN is the tokenized or virtual account number used for transactions. The secure element is a tamper-resistant hardware component that stores sensitive payment data securely. The API performs this verification by comparing the funding PAN or its portion with the provisioned credentials in the secure element. If the credential with the matching DPAN is found, the API confirms provisioning, enabling the device to proceed with transactions. This ensures that only properly provisioned credentials are used, enhancing security and preventing unauthorized transactions. The method supports dynamic verification, allowing real-time checks during payment processing.
5. The method of claim 2, wherein the response data is received via the online resource and from the server.
6. The method of claim 5, wherein provisioning, responsive to the selection of the provisioning option, the credential on the secure element comprises passing at least a portion of the response data to the application programming interface that is authorized to access the secure element.
8. The method of claim 1, wherein the online resource comprises at least one of an online application or a website.
10. The device of claim 9, wherein the application programming interface comprises an operating system application programming interface that is authorized to access the secure element of the device.
11. The device of claim 10, wherein the account identifier of the account comprises at least a portion of a funding primary account number, and an identifier of the corresponding credential comprises a device primary account number that corresponds to the funding primary account number.
A payment processing system enables secure transactions by linking a funding account to a device-based credential. The system includes a payment device with a credential stored in a secure element, where the credential is associated with a device primary account number (PAN). The funding account, which may be a bank account or credit line, is identified by a funding PAN. The device PAN is linked to the funding PAN, allowing transactions to be processed using the device credential while drawing funds from the associated funding account. This approach enhances security by isolating the funding PAN from direct exposure during transactions, reducing fraud risks. The system may also include a server to manage the relationship between the device PAN and the funding PAN, ensuring proper routing of transactions. The credential stored on the device is used to authenticate and authorize payments, while the funding PAN remains confidential. This method improves transaction security by minimizing exposure of sensitive account information while maintaining seamless payment functionality.
12. The device of claim 11, wherein the operating system application programming interface is configured to access the secure element using the at least the portion of the funding primary account number to obtain the indication of whether the corresponding credential is provisioned on the secure element.
13. The device of claim 10, wherein the management operation comprises provisioning the corresponding credential on the secure element when the indication indicates that the corresponding credential is not provisioned on the secure element, and the management operation comprises removing the corresponding credential from the secure element when the indication indicates that the corresponding credential is provisioned on the secure element of the device.
This invention relates to secure credential management in electronic devices, particularly for managing credentials stored on a secure element. The problem addressed is the need for efficient and secure provisioning and removal of credentials, such as payment or authentication credentials, on a device's secure element to ensure proper access control and security. The device includes a secure element capable of storing credentials and a processor configured to perform credential management operations. The management operation involves checking whether a credential is already provisioned on the secure element. If the credential is not provisioned, the device provisions the credential on the secure element. Conversely, if the credential is already provisioned, the device removes the credential from the secure element. This ensures that credentials are only present when needed, reducing security risks and optimizing storage. The secure element may be a hardware-based security module, such as a trusted execution environment (TEE) or a secure enclave, designed to protect sensitive data. The processor interacts with the secure element to perform the provisioning and removal operations, ensuring that credentials are managed securely. The device may also include communication interfaces to receive credential data or management instructions from external sources, such as a server or a user interface. This invention improves security by dynamically managing credential presence on the secure element, preventing unauthorized access and ensuring compliance with security policies. It is particularly useful in mobile devices, payment systems, and authentication platforms where secure credential handling is critical.
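The lookup in claims 4 and 12 and the provision-or-remove choice in claim 13 can be modelled as follows. This is an added example, not code from the patent or from any vendor: the class `OsCredentialApi`, its method names, the suffix matching of the FPAN portion and the shape of the response data are all assumptions made for illustration.

```python
class OsCredentialApi:
    """Hypothetical OS-level API: the only code path that touches the secure element."""

    def __init__(self):
        self._se = {}  # toy secure element: DPAN -> funding PAN it corresponds to

    def _find_dpan(self, fpan_portion):
        if not (fpan_portion.isdigit() and 4 <= len(fpan_portion) <= 19):
            raise ValueError("FPAN portion must be 4-19 digits")
        # Assumption: the "portion" is a suffix of the funding PAN.
        matches = [d for d, f in self._se.items() if f.endswith(fpan_portion)]
        if len(matches) > 1:
            # A short portion can match several cards; refuse rather than guess.
            raise LookupError("FPAN portion matches more than one credential")
        return matches[0] if matches else None

    def is_provisioned(self, fpan_portion):
        # Only a yes/no indication leaves the API; the DPAN is never returned.
        return self._find_dpan(fpan_portion) is not None

    def management_option(self, fpan_portion):
        return "remove" if self.is_provisioned(fpan_portion) else "provision"

    def apply(self, selection, fpan_portion, response_data=None):
        # Re-check SE state at apply time so a stale selection is rejected.
        if selection != self.management_option(fpan_portion):
            raise PermissionError("selection does not match current SE state")
        if selection == "provision":
            if not response_data or not response_data["fpan"].endswith(fpan_portion):
                raise ValueError("response data does not match the requested account")
            self._se[response_data["dpan"]] = response_data["fpan"]
        else:
            del self._se[self._find_dpan(fpan_portion)]
        return self.management_option(fpan_portion)


# Constructed sample values (test-style numbers, not real accounts).
RESPONSE_A = {"fpan": "4111111111111111", "dpan": "4000000000000002"}
RESPONSE_B = {"fpan": "5500000000001111", "dpan": "5000000000000009"}


def demo():
    api = OsCredentialApi()
    steps = [api.management_option("1111")]                  # nothing provisioned yet
    steps.append(api.apply("provision", "1111", RESPONSE_A)) # option flips to remove
    steps.append(api.apply("remove", "1111"))                # and back to provision
    return steps
```

The online resource in this model sees only the option string and never the DPAN, and a four-digit portion becomes ambiguous as soon as two funding accounts share a suffix, which the lookup reports instead of picking one.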
15. The device of claim 14, wherein the at least one processor is configured to facilitate performing the management operation by passing at least a portion of the response data to the operating system application programming interface.
16. The device of claim 9, wherein the online resource comprises at least one of an online application or a website.
18. The non-transitory machine-readable medium of claim 17, wherein the application programming interface comprises an operating system level application programming interface that is authorized to access the secure element of the electronic device.
The invention relates to secure data processing in electronic devices, particularly involving secure elements and application programming interfaces (APIs). The problem addressed is the need for secure and controlled access to sensitive data stored in secure elements, such as those used in mobile devices for payment, authentication, or identity verification. Secure elements are tamper-resistant hardware components that store and process sensitive information, but accessing them requires proper authorization to prevent unauthorized data exposure or manipulation. The invention provides a non-transitory machine-readable medium containing instructions for implementing an application programming interface (API) that facilitates secure interactions with a secure element in an electronic device. The API operates at the operating system level, meaning it is deeply integrated into the device's core software, allowing it to manage access permissions and enforce security policies. This ensures that only authorized applications or processes can interact with the secure element, reducing the risk of data breaches or unauthorized access. The API may include functions for reading, writing, or executing operations within the secure element while maintaining the integrity and confidentiality of the stored data. By operating at the operating system level, the API can enforce consistent security measures across different applications, improving overall system security. This approach is particularly useful in environments where secure transactions, such as mobile payments or digital identity verification, are performed.
19. The non-transitory machine-readable medium of claim 18, wherein the response data is received via the online resource and from the server.
20. The non-transitory machine-readable medium of claim 19, wherein the code to facilitate provisioning the corresponding credential on the secure element of the electronic device comprises code to provide at least a portion of the response data to the operating system level application programming interface that is authorized to access the secure element of the electronic device.
This invention relates to secure credential provisioning in electronic devices, particularly for enabling secure access to a secure element (SE) within the device. The problem addressed is the secure and efficient transfer of credential data to the SE, which is a tamper-resistant hardware component used for storing sensitive information like payment credentials or authentication keys. The invention involves a non-transitory machine-readable medium storing code that facilitates provisioning credentials onto the SE of an electronic device. The code includes instructions to receive a request for credential provisioning, generate a response data set containing the credential, and provide at least a portion of this response data to an operating system-level application programming interface (API). This API is authorized to access the SE, ensuring secure transmission of the credential data. The system ensures that only authorized applications can interact with the SE, maintaining the integrity and security of the provisioned credentials. The invention may also include additional steps such as validating the request, encrypting the credential data, or logging the provisioning process for auditing purposes. The overall solution enhances security by restricting access to the SE and ensuring that credential provisioning is performed through authorized channels.
June 10, 2019
November 1, 2022